The current upstream main branch relies on manual validation plus the
pre-commit hook. It does not yet ship a dedicated kind smoke-test or RBAC drift
script.
.githooks/pre-commit is the first line of defense.
Install it once per clone:
git config core.hooksPath .githooks
It enforces:
- static AppProject RBAC denylist checks (no static project may forget to
  blacklist Role and RoleBinding, unless explicitly opted out with
  # rbac-lint: ignore)
- feature-branch revision checks for critical manifests
  (base/argo-projects.yaml, base/mip-infrastructure/mip-infrastructure.yaml,
  common/security/netpol.yaml)
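
A sketch of what the denylist check above amounts to, added here as an example; it is not the project's hook. It assumes the denylist lives in Argo CD's spec.namespaceResourceBlacklist, matches on kind only, and uses a line-based heuristic instead of a YAML parser. The names lint and blacklisted_kinds are hypothetical.

```python
import re

REQUIRED = {"Role", "RoleBinding"}
OPT_OUT = "# rbac-lint: ignore"  # opt-out marker named on the page

def blacklisted_kinds(doc):
    """Kinds listed under namespaceResourceBlacklist (line-based heuristic)."""
    kinds, base = set(), None
    for line in doc.splitlines():
        text, indent = line.strip(), len(line) - len(line.lstrip())
        if not text or text.startswith("#"):
            continue
        if base is None:
            if text.startswith("namespaceResourceBlacklist:"):
                base = indent
        elif indent < base or (indent == base and not text.startswith("-")):
            base = None  # a sibling key ends the blacklist block
        elif m := re.match(r"(?:-\s*)?kind:\s*(\w+)", text):
            kinds.add(m.group(1))
    return kinds

def lint(manifest):
    """Return [(project name, missing kinds)] for AppProjects failing the check."""
    failures = []
    for doc in re.split(r"^---\s*$", manifest, flags=re.M):
        if OPT_OUT in doc or not re.search(r"^kind:\s*AppProject\s*$", doc, flags=re.M):
            continue
        name = re.search(r"^\s+name:\s*(\S+)", doc, flags=re.M)
        missing = REQUIRED - blacklisted_kinds(doc)
        if missing:
            failures.append((name.group(1) if name else "?", sorted(missing)))
    return failures

# Constructed sample: RoleBinding appears only in the whitelist, so the check fails.
SAMPLE = """\
kind: AppProject
metadata:
  name: team-b
spec:
  namespaceResourceBlacklist:
    - group: rbac.authorization.k8s.io
      kind: Role
  namespaceResourceWhitelist:
    - group: rbac.authorization.k8s.io
      kind: RoleBinding
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```

Quoted or wildcard kind values are not recognised by this sketch, so they are reported as missing.
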
Before opening a PR, make sure the key manifests still render cleanly:
kubectl kustomize argo-setup/patches >/dev/null
kubectl apply --dry-run=client -f base/argo-projects.yaml >/dev/null
kubectl apply --dry-run=client -f projects/mip-infrastructure.yaml >/dev/null
If you changed a specific component under common/ or deployments/, render
that path too.
Once the manifests are applied to a real cluster, verify the bootstrap objects and Applications show up as expected:
kubectl get applicationsets -n argocd-mip-team
kubectl get appprojects -n argocd-mip-team
argocd app list
argocd app get <app-name>
Expected steady state:
- the default AppProject is deny-all
- the static AppProjects exist in argocd-mip-team
- the mip-infrastructure ApplicationSet creates the expected Applications
- synced Applications move to Healthy after required secrets are present
scripts/gen_secrets.sh is the only helper script
currently shipped on upstream main. Use it after the federation namespaces
exist to create the required keycloak-credentials and mip-secret objects.